Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

Discussion in 'Scripting' started by AveYo, May 7, 2021.

  1. cromulant

    cromulant MDL Novice

    Aug 12, 2015
    9
    2
    0
    Windows Defender deletes the script. :/

    Guessing I can't do anything besides adding manually an exclusion for that folder within Defender, right?
     
  2. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    2,194
    2,630
    90
    #62 Dark Dinosaur, Nov 17, 2021
    Last edited: Nov 17, 2021
    maybe delete Windows defender :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Powershell -C "Get-MpPreference"

    Code:
    AttackSurfaceReductionOnlyExclusions          :
    AttackSurfaceReductionRules_Actions           :
    AttackSurfaceReductionRules_Ids               :
    CheckForSignaturesBeforeRunningScan           : False
    CloudBlockLevel                               : 0
    CloudExtendedTimeout                          : 0
    ComputerID                                    :
    ControlledFolderAccessAllowedApplications     :
    ControlledFolderAccessProtectedFolders        :
    DisableArchiveScanning                        : True
    DisableAutoExclusions                         : True
    DisableBehaviorMonitoring                     : True
    DisableBlockAtFirstSeen                       : True
    DisableCatchupFullScan                        : True
    DisableCatchupQuickScan                       : True
    DisableEmailScanning                          : True
    DisableIntrusionPreventionSystem              :
    DisableIOAVProtection                         : True
    DisablePrivacyMode                            : True
    DisableRealtimeMonitoring                     : True
    DisableRemovableDriveScanning                 : True
    DisableRestorePoint                           : True
    DisableScanningMappedNetworkDrivesForFullScan : True
    DisableScanningNetworkFiles                   : True
    DisableScriptScanning                         : True
    EnableControlledFolderAccess                  : 0
    EnableFileHashComputation                     : False
    EnableLowCpuPriority                          : False
    EnableNetworkProtection                       : 0
    ExclusionExtension                            :
    ExclusionPath                                 :
    ExclusionProcess                              :
    HighThreatDefaultAction                       : 0
    LowThreatDefaultAction                        : 0
    MAPSReporting                                 : 0
    ModerateThreatDefaultAction                   : 0
    PUAProtection                                 : 0
    QuarantinePurgeItemsAfterDelay                : 0
    RandomizeScheduleTaskTimes                    : False
    RealTimeScanDirection                         : 0
    RemediationScheduleDay                        : 8
    RemediationScheduleTime                       : 00:00:00
    ReportingAdditionalActionTimeOut              : 0
    ReportingCriticalFailureTimeOut               : 0
    ReportingNonCriticalTimeOut                   : 0
    ScanAvgCPULoadFactor                          : 5
    ScanOnlyIfIdleEnabled                         : False
    ScanParameters                                : 0
    ScanPurgeItemsAfterDelay                      : 0
    ScanScheduleDay                               : 8
    ScanScheduleQuickScanTime                     : 00:00:00
    ScanScheduleTime                              : 00:00:00
    SevereThreatDefaultAction                     : 0
    SharedSignaturesPath                          :
    SignatureAuGracePeriod                        : 0
    SignatureDefinitionUpdateFileSharesSources    :
    SignatureDisableUpdateOnStartupWithoutEngine  : True
    SignatureFallbackOrder                        : 0
    SignatureFirstAuGracePeriod                   : 0
    SignatureScheduleDay                          : 8
    SignatureScheduleTime                         : 00:00:00
    SignatureUpdateCatchupInterval                : 0
    SignatureUpdateInterval                       : 0
    SubmitSamplesConsent                          : 2
    ThreatIDDefaultAction_Actions                 :
    ThreatIDDefaultAction_Ids                     :
    UILockdown                                    : True
    UnknownThreatDefaultAction                    : 0
    PSComputerName                                :
    
    My Result to permanently Disable Defender not coming back in any scenario.
     
  4. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    What script gets deleted?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. #66 Deleted member 1385001, Nov 18, 2021
    Last edited by a moderator: Feb 20, 2022
    Bat Script to remove Defender Packages Using same St1ckys Method :

    Code:
    @echo off
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Write-Host 'Removing Defender Permanently' -EA SilentlyContinue -ForegroundColor Green -Verbose"
    Powershell -EP Bypass -MTA -NOL -NONI -NOP -C "Set-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*' -Name Visibility -Value 1 -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*' -Include *Owner* -Recurse -Force -EA SilentlyContinue -Verbose"
    Powershell -C "Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*Windows-Defender*' -Name | ForEach-Object  {dism /online /remove-package /PackageName:$_ /NoRestart}"
    
     
  6. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    2,194
    2,630
    90
    #67 Dark Dinosaur, Nov 18, 2021
    Last edited: Nov 18, 2021
    now I have 3 ways to completely remove this s**t
    make sure it really gone,
    maybe delete the whole folder is not enough :D
    Code:
    call :export cson > "%temp%\Windows.10.Defender_Uninstall.ps1"
    >nul 2>&1 powershell -noprofile -executionpolicy bypass -file "%temp%\Windows.10.Defender_Uninstall.ps1"
    
    for %%A IN (WinDefend, WdBoot, WdFilter, Sense, WdNisDrv, WdNisSvc) do (
        >nul 2>&1 sc config %%A start=disabled
        >nul 2>&1 sc stop %%A
        >nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%%A" /f
    )
    
    for %%A IN (SecurityHealthService.exe, SecurityHealthSystray.exe, smartscreen.exe, MpCmdRun.exe) do >nul 2>&1 taskkill /im %%A
    >nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Defender" /f
    >nul 2>&1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /f
    
    set Key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
    >nul 2>&1 call :reg_own !key! "" S-1-5-114 "" Allow FullControl
    >nul 2>&1 call :reg_own !key! "" S-1-5-32-544 "" Allow FullControl
    >nul 2>&1 REG ADD !Key! /f /v DisableAntiSpyware /t REG_DWORD /d 1
    >nul 2>&1 REG ADD !Key! /f /v TamperProtection /t REG_DWORD /d 0
    
    >nul 2>&1 call :DestryFolder "%ProgramFiles%\Windows Defender"
    >nul 2>&1 call :DestryFolder "%ProgramFiles(x86)%\Windows Defender"
    >nul 2>&1 call :DestryFolder "%ALLUSERSPROFILE%\Windows Defender"
    >nul 2>&1 call :DestryFolder "%ProgramFiles%\Windows Defender Advanced Threat Protection"
    >nul 2>&1 call :DestryFolder "%ProgramFiles(x86)%\Windows Defender Advanced Threat Protection"
    >nul 2>&1 call :DestryFolder "%ALLUSERSPROFILE%\Microsoft\Windows Defender Advanced Threat Protection"
    
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    Massive Usability Improvements for 2022!
    - my RunAsTI context menu .reg for folders and files (exe, msc, bat, cmd, reg), even shows up on the s**tty Windows 11 ;)
    - RunAsTI simplified (just one variant - the best one) and with improved cmd + arguments parsing. Works with any paths!
    - reg_own with powershell style arguments, much improved handling of recursively denied permissions (when you don't even have access to view them), -list switch will show rights even when regedit fails!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. fLOW.

    fLOW. MDL Senior Member

    Jul 28, 2009
    468
    525
    10
  9. migascalp

    migascalp MDL Member

    Sep 18, 2009
    144
    115
    10
    A little forget ? :)
     
  10. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    Fixed that typo!
    And added Open Powershell as trustedinstaller entry on directory background (RunAsTI.reg)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    2,194
    2,630
    90
    #73 Dark Dinosaur, Jan 18, 2022
    Last edited: Jan 18, 2022
    @BAU you da man!
    very handy tool :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. fLOW.

    fLOW. MDL Senior Member

    Jul 28, 2009
    468
    525
    10
    You mean you can reproduce that behavior on release channel but not on dev? I was thinking about doing an in-place upgrade but if that's the case... :rolleyes:
     
  15. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    Yep, I can now reproduce it on a clean install up-to-date release 11. On dev it's been fine.
    It starts with an empty non-responsive window, that later gets painted and it recovers.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args

    Please test the new workaround! I'm using control admintools since that one is not hindered, then sendkeys with the location - I know, crazy, but it works!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. fLOW.

    fLOW. MDL Senior Member

    Jul 28, 2009
    468
    525
    10
    Works good, ty! UI a bit bugged (at least when using dark theme) but that's just Windows being Windows :rolleyes:
     
  18. geepnozeex

    geepnozeex MDL Junior Member

    Oct 21, 2014
    51
    38
    0
    #79 geepnozeex, Feb 12, 2022
    Last edited: Feb 12, 2022
     
  19. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,564
    60
    If you just copy pasted the script without modifications in powershell,
    it is gonna open an explorer window at Control Panel\System and Security\Administrative Tools (as TI). From there you can just select Registry Editor, or Ctrl+L for address bar and enter there regedit

    Or use it as a function (like instructed):
    first copy-paste RunAsTI snippet in powershell - it's clearly delimited between #########################################################
    then simply enter: RunAsTI regedit

    See more examples under USAGE
    - like launching programs with parameters: RunAsTI cmd '/k "whoami /all & color e0"'
    - or launch powershell as TI (because in your screenshot you're still in the normal powershell): RunAsTI powershell
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...